Editor’s Comments 


Welcome to the latest issue, 4(1) of the Journal of Physical Security. This is a very eclectic 
issue. It includes papers about museum security, using private citizens to neutralize shooters 
and armed assailants, and how to combine data from various security sensors to decide on 
an intrusion threshold. There is also a paper about techniques for detecting sticky bombs on 
motor vehicles, and a discussion of the peer-review process and physical security. 


The latter paper, by Associate Editor Jon Warner, is meant inter alia to address questions 
that our contributors and potential contributors have frequently asked about the peer review 
process used by this journal and many others. While a peer review process is common in 
science and engineering (and often familiar to researchers in cryptography, criminology, or 
cyber security), people who work in physical security may not have previously encountered 
the concept. 


Jon’s paper also contains a brief analysis of the type and number of journals and papers 
about physical security. One of the reasons we started the Journal of Physical Security (JPS) 
was because of a perceived lack of journals devoted to physical security, especially peer- 
reviewed journals. Jon’s analysis suggests there continues to be a need for this type of 
journal. 


As usual, the views expressed by the authors and the editor in the Journal of Physical 
Security are their own, and should not necessarily be ascribed to Argonne National 
Laboratory, UChicago LLC, or the United States Department of Energy. 


Some authors and readers have asked why there is no consistent formatting style between 
various papers in a given issue of JPS. We decided early on not to have strict formatting 
requirements for authors in terms of fonts, page layout, headings and reference styles, etc. 
There are 3 reasons for this: (1) Many contributors and potential contributors to JPS find it 
challenging enough to write and submit a paper without a lot of extra work required to format 
it to some strict style they may not be comfortable or familiar with. (2) Letting each author 
format as she sees fit reduces the amount of editing work we must do. If the journal 
continues to grow, we might be able to have a professional editorial staff assist with this, but 
for now, editorial work is done primarily outside business hours and on our own time. And (3) 
the field of physical security (arguably) suffers enough from conformity that a little variation in 
individual style is probably healthy. 


Editorial: 


After September 11th, the United States indicated it would undertake an effort to reach out 
to the world to communicate our values and discourage the development of violent 
fundamentalism. Where is this effort? 


Some of the things that Americans have always been very good at are advertising, 
entertainment, pop culture, video, music, the Internet, and mass marketing. Why aren’t the 
Internet and the airwaves (domestically and internationally) filled with slick, tightly edited, 
engaging songs, jingles, movies, and “commercials” discouraging terrorism and violent 
fundamentalism—painting these immoral acts in the most unfavorable light for the benefit of 
young people worldwide? A recent article by Bob Drogin and Tina Susman in the Chicago 
Tribune (March 14, 2010, page 23) indicates that radical fundamentalists and terrorists are 
effectively using the Internet and social web sites, often in conjunction with fast moving 
videos and loud music, to recruit young people to their cause. Why aren’t Americans—highly 
skilled at these kinds of things—countering in kind? 


Where are the heart-wrenching, personalized stories about the victims of terrorism, 
including children, people of Islamic faith, and family members of suicide bombers left behind 
after an act of political murder? Where are the interviews with psychologists and those who 
have been recruited as terrorists about techniques used by cults and terrorists for “brain 
washing”? Where are the pronouncements for young people from respected religious 
leaders that their religion does not condone killing innocents? Where is the geopolitical 
analysis indicating that terrorism has been largely ineffective; indeed, the United States is 
now more firmly entrenched in the Middle East, Iraq, Afghanistan, and Pakistan than before 
9/11. Other than making air travel an adventure in bureaucratic foolishness, what has 
terrorism actually accomplished? 


The United States (and Hollywood) has a huge effect on popular culture and on how even 
people in third world countries view the world. Why is this not being put to good use in 
fighting terrorism, in making violent radicalism, suicide bombing, and cult programming 
decidedly “uncool”? 


As vulnerability assessors, we often see examples of where the concept of “layered 
security” (also known as “security in depth”) is used as a kind of magical mantra that 
neutralizes all security concerns, and mitigates the need to improve security. If only layered 
security were indeed a silver bullet! 


I authored a paper in the January issue of Security Management [RG Johnston, “Lessons 
for Layering”, Security Management 54(1), 64-69 (2010)] that discusses some of the potential 
problems with layered security. In continuing this theme, here is my “self assessment tool” to 
help you decide if a given layer (or additional layers) of security makes sense. 


Like my previous “self-assessment tools” (See for example, “How Flawed is Your Security 
Program”, CSO Online, http://www2.csoonline.com/quizzes/security_assessment/index.php, 
or the Vulnerability Disclosure Index, pp. 17-35 of JPS Volume 3), this self-test shouldn’t be 
taken overly seriously, but I believe it does raise important points that are worth 
contemplating. 


Self-Assessment Survey: 
Does Layered Security Make Sense for Your Security Application? 


The following self-assessment can be used to determine if a new security layer makes 
sense (or if an existing layer should be maintained alongside other security layers). This self- 
assessment shouldn't be taken overly seriously—it’s not all that rigorous and the scoring is 
somewhat arbitrary—but it can nevertheless be useful for encouraging careful thinking about 
the layer in question. 


Directions: Examine each of the 21 questions below about the security layer (or measure) 
of interest. For each question, decide if the answer is yes, no, or maybe/unknown. Circle 
your answer for each question. Scoring: Add up the number of circled answers in column B 
which we call NB. Add up the number of circled items in column D which we call ND. Your 
total score is (2*NB) + ND. (Column B contains the “ideal” answers if the security layer in 
question makes sense to implement or keep.) 


Interpreting the score: The maximum possible score is 42. If the score is greater than 36, 
the security layer in question is probably a good idea. If the score is less than 29, the 
security layer is probably not a good idea and will likely decrease overall security. If the 
score is between 29 and 36 (inclusive), the security layer needs more analysis or 
modifications in terms of its effectiveness and interactions vis-à-vis the other security layers; 
thinking carefully about the questions in the table might help clarify the issues. Thus: 


Score 37 to 42, the security layer in question is probably a good idea. 
Score 29 to 36, the security layer needs more study, analysis, or refinement. 
Score 0 to 28, the security layer is probably not a good idea and will likely decrease overall 
security. 

Question A B C D 

1. Is introduction of the new layer being used (consciously or unconsciously) to avoid having 
to think carefully about existing security vulnerabilities or how to optimize the existing layers? 
yes no maybe/unknown 

2. Is the new layer being installed out of fear or desperation or urgency or cognitive 
dissonance (mental tension between our hopes and our fears)? 
yes no maybe/unknown 

3. Is the new layer being installed primarily because funds become available for it, or 
because non-security managers or executives ordered it? 
yes no maybe/unknown 

4. Is the motivation for the new security layer essentially a “vitamin mentality”—“if some 
security is good, then more must be better”? 
yes no maybe/unknown 

5. Do you think the new layer is undefeatable? 
yes no maybe/unknown 

6. Have you taken steps to insure that alarms generated from the other security layers won’t 
be ignored or discounted because of the existence of the new layer? 
yes no maybe/unknown 

7. Will the new layer distract security personnel or cause less attention to be paid to the other 
layers of security? 
yes no maybe/unknown 

8. Does the new layer have buy-in from the security personnel or others sho ncaseaD 
yes no maybe/unknown 

9. Will the new layer dramatically increase the complexity of providing security, or the time 
and/or costs involved? 
yes no maybe/unknown 

10. Will installation of the new layer and the learning curve associated with it introduce an 
extended period of weakened security? 
yes no maybe/unknown 

11. Is the new layer specifically designed to deal with known vulnerabilities and attack modes 
for the other layers of security? 
yes no maybe/unknown 

12. Are there specific, rigorous reasons to believe the new layer will improve your security (as 
opposed to just relying on hope, speculation, sales hype, hearsay, or assumptions)? 
yes no maybe/unknown 

13. Can you summarize in 2-3 sentences (without relying on sales hype) exactly how the new 
layer will improve your security? 
yes no maybe/unknown 

14. Are the vulnerabilities and attack modes for the other layers of security well understood by 
you, and have you tried to defeat them? 
yes no maybe/unknown 

15. Are the vulnerabilities (including any software vulnerabilities) and attack modes for the 
new security layer well understood by you? 
yes no maybe/unknown 

16. Do you have a good understanding of how the new security layer 
yes no maybe/unknown 

17. Is the new layer of security relatively untested, and is it high-tech and generating a lot of 
buzz/hype/excitement? 
yes no maybe/unknown 

18. Are you clear on whether the new layer is meant to be serial, parallel, redundant 
(backup), or some combination? 
yes no maybe/unknown 

19. Are the skills and methods an adversary would use to attack the new layer similar to the 
other layer(s)? 
yes no maybe/unknown 

20. Are there serious common modes of failure, e.g., can one event neutralize multiple layers 
of security? (For example, if the electrical power is shut off by an adversary, will the new layer 
and other layer(s) stop working?) 
yes no maybe/unknown 

21. Does the new layer compete or interfere with existing security layers in terms of physical 
space (e.g., there isn’t enough room in the hasp for both a lock and a seal), maintenance, 
upgrades, funding, attention by frontline personnel, power requirements, or electrical/radio 
frequency interference? 
yes no maybe/unknown 

NB= ND= 
Instructions: 

1. Total up the number of items circled in column B = NB. 
2. Total up the number of items circled in column D = ND. 
3. Score = (2 * NB) + ND. 


Final Score = 2NB + ND = 


We are often asked in the Vulnerability Assessment Team at Argonne National Laboratory 
how we do vulnerability assessments (VAs) and what constitutes “best practice” for doing 
VAs. Here are the tips and philosophy that we offer: 


Tips for Doing Effective Vulnerability Assessments 
1. Do them early, iteratively, and often (ideally continuously). Frequently, we are handed a 
security device or system to evaluate only when it is ready to be fielded or manufactured— 
and when it is too late economically, politically, and emotionally to make any changes. 


2. Use independent, ideally external vulnerability assessors who want to find problems and 
solutions, and who have no conflicts of interest (not just financial) or wishful thinking. 


3. No “shoot the messenger”. 


4. Don’t allow promoters, developers, manufacturers, or vendors of the security 
device/system to do the VA (though they should provide input). 


5. Use the personnel with the right mindset and/or skill set: hackers, hobbyists, creative 
types, troublemakers, questioners of authority, loophole finders, skeptics/cynics, physicists, 
chemists, computer geeks, artisans, graphic artists, nerds, hands-on technicians, antique & 
auto body repair experts, ... 


6. Engineers are not typically very good at VAs or designing for effective security. The 
mindset is all wrong. 


7. Follow good brainstorming and creativity practices based on modern research into how 
innovative ideas (attacks and countermeasures in this case) are generated. 


8. Do the VA in context: understand the adversaries, the facilities, the personnel, their 
training, and the overall security goals. 


9. Don’t underestimate the adversary. 


10. Don’t let the good guys define the problem. The bad guys can attack how, where, and 
when they want. They don’t have to attack at the point of your greatest strength, or attack 
security devices and systems just because you have installed them. 


11. Don’t view the VA as a test to pass, a certification procedure, a scapegoating 
mechanism, or a rubber stamp. VAs are for the purpose of improving security only. 


12. Don’t accept a VA that finds no vulnerabilities. It is wrong. Vulnerabilities are always 
present in large numbers. 


13. Don’t think you can find all the vulnerabilities, or that you won't find more next time, or if 
different people do the VA. 


14. Pay special attention to what the promoters, developers, manufacturers, and vendors are 
most proud and/or confident about, and to the high-tech features. Those are usually the 
easiest to attack. 


15. Concentrate on low-tech attacks, even on high-tech devices, systems, and programs 
(because high-tech attacks will not be needed). 


16. Do VAs holistically, not by module, sub-component, or function. Vulnerabilities are often 
found at the interfaces. 


17. There should be no unrealistic constraints on time and resources available for the VA. 
And no blocking the review of certain features or sub-assemblies. 


18. The VA should point out possible countermeasures, not just vulnerabilities. 


19. But the vulnerability assessors probably don’t have the best understanding of the most 
practical countermeasures to implement. 


20. The VA should lead to many more vulnerabilities and countermeasures than can 
be implemented at one time. 


21. Don’t forget that true counterfeiting is rarely necessary for an adversary, just token 
counterfeiting, i.e., the device needs only be superficially mimicked. This is much easier than 
true counterfeiting (which itself is rarely as difficult as people think). 


22. View security from the standpoint of the adversary: Really get inside their heads. Use 
Method Acting techniques. 


23. The best attacks and countermeasures come late! 


24. A good VA report should point out the good things first (so they will continue, and so 
there is a willingness to hear about the weaknesses). 


25. Vulnerabilities are good news, not bad news! Finding a vulnerability means you can do 
something about it. 


26. Distrust anybody who does “rigorous”, formalistic, or “reproducible” VAs, who claims to 
be able to find all the vulnerabilities, or who is enamored with standards or certifications for 
VAs. Nobody currently has enough understanding of security or VAs to warrant these things. 


27. In the end, a vulnerability assessment is not so much about technology and security 
strategy as it is an exercise in psychology and predicting human behavior: how the bad guys 
will attack. 


28. That being said, you usually will have better security if you concentrate on vulnerabilities 
(security weaknesses) than on threats (who might attack with what probability). If you get the 
vulnerabilities right, you will be ok even if you get the threats wrong. But if you only analyze 
the threats without an appreciation for the vulnerabilities, you are probably in trouble. 


Philosophy on Vulnerability Assessments 
(Especially for Buildings, Facilities, Infrastructure and Security Programs) 


1. There are a number of conventional tools for finding security vulnerabilities, especially in 
critical infrastructures or security programs. These include security surveys, risk 
management, design basis threat, CARVER Method, Delphi Method, software vulnerability 
assessment tools, security audits, infrastructure modeling, etc. 


2. These tools have some value, and indeed we have used them all. 


3. Experience has shown, however, that these methods do not usually result in dramatic 
improvements to security, nor do they reliably predict catastrophic security incidents that are 
novel and rare. Even worse, they often completely miss obvious vulnerabilities. In the case 
of computer modeling of vulnerabilities, the models themselves are rarely validated in any 
meaningful way. 


4. There are a number of reasons why these tools fall short, including that they are too often: 


* unimaginative 
* full of sham rigor 
* not context oriented 
* inflexible & close-ended 
* not sufficiently predictive 
* ignorant of the insider threat 
* used to justify the status quo 
* not focused on the right issues 
* harmed by the fallacy of precision 
* blind to critical ground-level details 
* limited to protecting physical assets 
* dominated by groupthink & bureaucrats 
* plagued by “shoot the messenger” syndrome 
* hampered by arbitrary, made-up probabilities 
* not validated by hands-on or real-world testing 
* ineffective at estimating true consequence costs 
* not done from the perspective of the adversaries 
* unable to recommend effective countermeasures 
* confused in thinking that a VA is a test to be passed 
* obsessed with past security incidents, not future ones 
* binary in outlook (something is either secure or it is not) 
* overly focused on barriers, technology, & physical layout 
* distracted by tables, matrices, spreadsheets, & software programs 
* focused on threats to the detriment of understanding vulnerabilities 
* insistent on letting the good guys define the problem, not the bad guys 
* insistent on letting the existing security infrastructure and strategies define 
  the problem, not the bad guys 
* conducted by personnel who don’t want to find problems—so they don’t 


5. The overall goal of an effective vulnerability assessment should be to predict what the 
adversaries might do. This is fundamentally a psychology problem, not a hardware, 
technology, assets, infrastructure, building design, management, or digital computer 
modeling problem. But you can’t reliably predict what someone might do if you can’t “get 
inside his head”. Conventional, formalistic vulnerability assessment tools largely ignore the 
adversary’s psychology, perspectives, and motivation. Moreover, formalistic tools are not (for 
the most part) tools that an adversary even uses, and thus are not effective at mimicking or 
predicting his behavior in an expedient and realistic manner. 


6. An Adversarial Vulnerability Assessment goes beyond formalistic, unimaginative, semi- 
quantitative, linear methods to view the security problem from the perspective of the 
adversary. The emphasis is on using creative assessors who are psychologically pre- 
disposed to effectively spoofing hardware and organizations, who have hands-on (“hacker”) 
experience defeating security, and who attempt (both by their intrinsic nature and with the aid 
of psychologists and others) to think, see, and feel what the adversaries think, see, and feel. 
Modern techniques for effective brainstorming and creativity are employed, based on many 
decades of research into how new ideas can be best generated. It is also essential to 
accurately understand the security organization’s goals, attributes, personnel, culture, and 
climate. 


7. The Argonne Vulnerability Assessment Team conducts Adversarial Vulnerability 
Assessments using a multi-disciplinary team approach. Hackers, technicians, physicists, 
engineers, computer scientists, artists, sociologists, and psychologists are employed to 
understand the fundamental issues behind any given security application, and to discover 
and demonstrate security vulnerabilities, as well as practical countermeasures. This 
approach has repeatedly resulted in the discovery of surprising, easy-to-exploit vulnerabilities 
totally overlooked by security managers, designers, manufacturers, and vendors, as well as 
other vulnerability assessors using more conventional techniques. 


8. The lesson of our work is that there are almost always fairly simple and inexpensive 
countermeasures for eliminating, or at least partially mitigating, even the most serious 
vulnerabilities. The vulnerabilities have to be known and acknowledged, however, before 
such countermeasures can be implemented. 


9. Some organizations do on-the-ground “realistic” exercises, and/or talk about the 
importance of creative vulnerability assessments, but the actual results often fall far short of a 
true adversarial vulnerability assessment. 


-- Roger Johnston, Argonne National Laboratory, February 2010. 